Privacy Policy

Last updated: 2026-06-26

This Privacy Policy explains how PayRescue ("PayRescue", "we", "us") collects, uses, and protects personal data. It is written to meet the requirements of the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA/CPRA).

Two distinct roles. For data about our customers (the businesses that sign up for PayRescue) we act as a data controller. For data about our customers' end-customers — the billing metadata we process to recover failed payments — we act as a data processor on behalf of our customer, who remains the controller.

1. Who we are (Controller)

PayRescue is operated by 9GG LLC, 30 N Gould St, Ste R, Sheridan, WY 82801, USA. 9GG LLC is the data controller. Privacy contact: support@9gg.app. Where required, our EU/UK representative can be reached at the same address.

2. Data we collect

From our customers (we are controller)

Account data: email address, hashed password, plan, organisation (tenant) identifiers, account timestamps.
Billing/connection data: Stripe account connection details and configuration needed to run recovery.
Usage & technical data: log data, IP address, device/browser information, and cookies (see our Cookie Policy).

End-customer billing metadata (we are processor)

To recover failed payments on behalf of our customer, we process metadata about that customer's end-customers, such as: name, billing email, failed invoice amounts and currency, decline/failure reasons, card last-4 and expiry indicators, retry attempt history, and hosted invoice/card-update links. We never receive or store full card numbers — card updates take place on Stripe's hosted, PCI-DSS-compliant pages.

3. Lawful bases for processing (GDPR / UK GDPR)

Contract (Art. 6(1)(b)): to create and operate your account and provide the recovery service.
Legitimate interests (Art. 6(1)(f)): to secure, maintain, and improve the service and prevent fraud.
Legal obligation (Art. 6(1)(c)): to meet accounting, tax, and compliance requirements.
Consent (Art. 6(1)(a)): for non-essential cookies and optional communications, withdrawable at any time.

For end-customer billing metadata, the lawful basis is determined by our customer (the controller); we process it only on their documented instructions under a data processing agreement.

4. How we use data

Detect failed Stripe charges, run the retry ladder, and send tone-laddered recovery emails with a card-update link.
Compute and display recovery metrics (the ROI dashboard).
Authenticate users, secure the service, and provide support.
Comply with legal obligations and enforce our Terms.

5. Sub-processors & third parties

We share data only with the processors needed to deliver the service:

Processor	Purpose	Data involved
Stripe	Payment processing; failed-charge detection; retries; hosted card-update pages. We handle our customers' end-customers' billing data via the connected Stripe account.	Billing metadata, invoice/charge data, card last-4 (never full PAN)
Resend	Transactional & recovery email delivery	Recipient email, message content
DeepSeek / Anthropic	AI generation of recovery email copy	Non-identifying context used to draft messages
Hosting provider	Application and database hosting	All stored data, at rest

Each processor is bound by a data processing agreement. We do not sell personal data.

6. International transfers

Some processors are located outside the EEA/UK (for example, in the United States). Where data is transferred internationally, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and adequacy decisions where available.

7. Data retention

We keep account data for the life of the account and for up to 24 months afterward, or longer where required for legal, tax, or accounting purposes. End-customer billing metadata is retained only as long as needed to provide recovery to our customer, or until our customer instructs deletion, after which it is deleted or anonymised.

8. Your rights

Subject to applicable law, you have the right to access, rectify, erase, restrict, or object to processing, to data portability, and to withdraw consent. Under GDPR/UK GDPR you may also lodge a complaint with your supervisory authority (e.g. the UK ICO or your EU Data Protection Authority).

California residents (CCPA/CPRA)

You have the right to know what personal information we collect, to request deletion or correction, to access it, and to be free from discrimination for exercising your rights. We do not sell or share your personal information as those terms are defined under the CCPA/CPRA. To exercise the Do-Not-Sell/Share right or any other right, contact support@9gg.app.

Do Not Sell or Share My Personal Information. PayRescue does not sell or share personal information for cross-context behavioural advertising. If this changes, we will provide an opt-out mechanism here.

9. Security

Passwords are hashed (scrypt); sessions use signed, HttpOnly cookies. We apply access controls, encryption in transit, and the principle of least privilege. No method of transmission or storage is 100% secure, but we work to protect your data.

10. Children

PayRescue is a B2B service not directed to children and we do not knowingly collect data from anyone under 16.

11. Changes

We may update this policy; material changes will be posted here with a revised "Last updated" date.

12. Contact

PayRescue, operated by 9GG LLC, 30 N Gould St, Ste R, Sheridan, WY 82801, USA · support@9gg.app